12. Understand Netflow
Next important topic, we have NetFlow and flexible NetFlow. As IT evolves and as we need to analyze more and more data, with respect to security analysis, troubleshooting and network analysis, we need to learn and understand the flow, or the flow record. That is the reason we have NetFlow. If you look at the versions of NetFlow, you will find that we have NetFlow from version 1 to version 9, and version 5 is the most important and actually the most popular. Now, what is the difference? The main difference is that version 1 has less capability: it can analyze fewer fields in the traffic flow. If you go and see, say for example, version 9, it has much more capability to analyze the flow, meaning many more options to see inside the flow what type of headers and fields we have.
We will see how many fields we can analyze inside a flow in the different versions. Here you can see that, say for example, you have a source and you have a destination, and you are using NetFlow. So what are the things you can check? We have multiple options to verify, but at least we can check the IP addresses (source and destination), the port numbers (source and destination), the protocol, packets sent, packets received, any tagging related to source and destination, and the various TCP flags. This information is used because it answers the five Ws. Who is sending: that is the source IP. Where it is sending: that is the destination IP. So who and where are related to the addresses. What they are sending:
that is which application they are using and what port numbers they have. So who, where, what; then how: how many packets or bytes they are sending, that is the packet counter and the byte counter; and when they are sending, that is the timestamp, at what time this transaction happened. So we are getting the five W answers: who, where, what, how and when. That is important for the analysis, whether it is security analysis or network analysis. If you want to correlate this with a phone book, NetFlow is the book and inside the flow you get who, what, where and when. Now the next important question is: which version should we use?
Again we have version 1 up to 9, and version 5 is the most popular. Here you can see, for the popular version 5, what the content is and the description. We can check the addresses, the next hop, the SNMP index, the packets in the flow, the total number of Layer 3 bytes, the system uptime, the TCP/UDP ports and the TCP flags, so we can see this key information. But still, version 5 is not giving us each and everything inside the flow. If I want to see more fields, then what version should we use? In this chart you can see that version 5 gives only 18 exportable fields.
There are some limitations as well: it is fixed to IPv4, it has fixed-length fields and a single flow cache. So version 5 has advantages, but it has certain disadvantages as well. Then we have version 9. Version 9 is template based, it is much more robust, it can carry MPLS and BGP supported fields as well, and it supports 104 fields. So it is 18 versus 104 fields. But it also has limitations: IPv6 flows are exported inside IPv4, fixed-length fields, it uses more memory, slower performance, and a single flow cache.
So on one side you have ease of use, but on the other side it is consuming much more resources. If it is easy to use, it gives fewer fields; if you use the more robust option, you pay with higher memory and slower performance, et cetera. Then we have flexible NetFlow, which again uses version 9. You can think of it as version 9.1 or 9.2: that is flexible NetFlow. It supports the flow monitor, supports selectable key fields and IPv6, and supports NBAR (Network Based Application Recognition); Cisco built NBAR precisely to analyze applications.
I have given a lot of theory related to NBAR in my SD-WAN curriculum, because if it is a Cisco device, for example an ISR or any type of Cisco device, NBAR2 can recognize the metadata of the application, and Cisco claims it can recognize 1400 plus applications. Other vendors also claim that they can recognize more and more, but we can recognize the application with NBAR, and inside flexible NetFlow this is supported.
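The version 5 format just described is fixed: every export datagram is a 24-byte header followed by up to 30 records of 48 bytes each, with the same 18 fields in the same order, which is exactly why v5 needs no templates and cannot carry anything beyond those fields. As an added example (not part of the course and not Cisco's or any collector's code), the following Python script parses such a datagram on the collector side, validates the header against the datagram length before trusting the record count, and maps each record onto the five Ws from the lecture. The sample datagram, the addresses and the timestamps are constructed inline so the script runs offline.

```python
"""NetFlow v5 export parser mapped to the five Ws. Added example, not course or vendor code."""
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte fixed flow record
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class FlowV5:
    src_ip: str
    dst_ip: str
    next_hop: str
    in_if: int          # SNMP ifIndex of the input interface
    out_if: int
    packets: int
    octets: int         # Layer 3 bytes in the flow
    first_ms: int       # sysuptime (ms) when the first packet was seen
    last_ms: int        # sysuptime (ms) when the last packet was seen
    src_port: int
    dst_port: int
    tcp_flags: int      # cumulative OR of the TCP flags seen in the flow
    proto: int
    tos: int


def parse_v5(datagram):
    """Return (header dict, list of FlowV5); raise ValueError on a malformed export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version={version})")
    # v5 carries at most 30 records per datagram; never trust count without checking the length.
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"sys_uptime_ms": uptime, "unix_secs": secs, "unix_nsecs": nsecs,
              "flow_sequence": seq, "engine": (engine_type, engine_id),
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits; the top 2 bits are the mode
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(FlowV5(
            src_ip=socket.inet_ntoa(r[0]), dst_ip=socket.inet_ntoa(r[1]), next_hop=socket.inet_ntoa(r[2]),
            in_if=r[3], out_if=r[4], packets=r[5], octets=r[6], first_ms=r[7], last_ms=r[8],
            src_port=r[9], dst_port=r[10], tcp_flags=r[12], proto=r[13], tos=r[14]))
    return header, flows


def flag_names(flags):
    return [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if flags & bit]


def five_ws(header, flow):
    """Answer who / where / what / how / when for one record, as the lecture frames it."""
    # first_ms is relative to the exporter's uptime; anchor it to the export's wall-clock time.
    export_time = header["unix_secs"] + header["unix_nsecs"] / 1e9
    start_epoch = export_time - (header["sys_uptime_ms"] - flow.first_ms) / 1000.0
    return {
        "who": flow.src_ip,
        "where": flow.dst_ip,
        "what": {"proto": flow.proto, "src_port": flow.src_port, "dst_port": flow.dst_port},
        "how": {"packets": flow.packets, "bytes": flow.octets, "tcp_flags": flag_names(flow.tcp_flags)},
        "when": start_epoch,
    }


def build_v5_datagram(records, uptime_ms, unix_secs):
    """Pack records into one v5 datagram; used only to construct the sample below."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton(nh),
                       in_if, out_if, pkts, octets, first, last, sp, dp,
                       0, flags, proto, tos, 0, 0, 24, 24, 0)
        for s, d, nh, in_if, out_if, pkts, octets, first, last, sp, dp, flags, proto, tos in records)
    return V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 1, 0, 0, 0) + body


# Constructed sample (made-up addresses): one HTTPS session and one DNS query,
# exported when the router's uptime counter read 100 s.
SAMPLE_DATAGRAM = build_v5_datagram([
    ("10.1.1.10", "10.2.2.20", "10.1.1.1", 1, 2, 12, 6000, 90000, 99000, 51234, 443, 0x1B, 6, 0),
    ("10.1.1.10", "10.2.2.53", "10.1.1.1", 1, 2, 1, 76, 95000, 95000, 5353, 53, 0x00, 17, 0),
], uptime_ms=100000, unix_secs=1700000000)

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_DATAGRAM)
    for f in flows:
        print(five_ws(hdr, f))
```

The "when" answer needs both header and record: the record only carries uptime-relative timestamps, so a collector converts them using the export header's wall-clock time, which is also why clock drift on the exporter shows up as skewed flow start times in analysis.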
13. Netflow Configuration
In this session we are going to learn the terminology, learn how we can put all these pieces together, and then go and configure NetFlow. So let's start. First of all, the flow: we know that we are going to analyze a traffic flow. Whenever I have a flow, that particular traffic flow has various types of key and non-key fields. What do key and non-key mean? We will understand that, but at this point we can think that there are some mandatory things and some optional things that we want to collect or measure, correct? According to that we categorize them as key and non-key. Starting with the flow, we have key fields like source IP, destination IP, port number, protocol, et cetera.
Then we have the flow record. You can think of the record like an office file system: in a file you keep the records of all the customers or clients. Like that, you have a record of what you want to collect, and this record may be key values, non-key values or a mix of both, correct? Generally the record is key plus non-key values. Then we have the flow collector, where you want to collect this flow: that is your destination server, and we give the collector IP. Nowadays we use template-based configuration; even if you check the SD-WAN configuration, inside SD-WAN we have the option for NetFlow plus SD-WAN's own cflowd template. So both are there.
There we need to create the template as well. The template is the format in which you put the various parameters. Then the exporter: the exporter is nothing but where you send the collected information so that you can analyze all these things. Finally the NetFlow generator, which is whoever generates the flow, that is the devices whose flows we want to analyze. When we do the configuration we will find where all these configuration options are used. The traditional NetFlow configuration is very easy and straightforward. First you define the export version, then the destination and the port number.
So the destination IP and the port number; this IP is your NetFlow collector IP, which may be any type of server. Then, on the interface where you want to enable it, I can use ip flow ingress or ip flow egress; both options are there. Let me quickly log into the device and show you how you can do these configurations. Here I can go to ip flow-export version, and you can see that we have 1, 5 and 9. I use 5, then ip flow-export destination, and I give 192.168.56.1, that is my server, and then the port number, say 2055. Then I check the interfaces. I have an interface, say 15, and I use ip flow, and here you can see that we have options.
First of all I should make this an IP interface, because by default it was a Layer 2 interface, and then I can use ip flow ingress; if I want, I can use ip flow egress as well. We can check the configuration, and if you want to filter you can use the flow option. So you can see that it is very easy and straightforward to configure traditional NetFlow. The next very important thing we have is flexible NetFlow. In most places you will see that we are using flexible NetFlow, and the key thing there is to know what your key items are versus your non-key items. So we have the mandatory and the optional things: anything that starts with the match option is a key field,
so ToS (type of service), protocol, source port number, et cetera. Anything that is collected, that starts with the collect option, is a non-key item, correct? So TCP flags, counter bytes long, counter packets long, timestamp absolute first, et cetera. Let's do the configuration for this as well. Now you can give ip flow-export and the version you want, so ip flow-export version, say for example 9, and then we can use the flow commands.
Say for example flow record, and inside the record, say match. Here we can see that with this particular version, and you can see the version of the image, 12.4, flexible NetFlow is not supported. So what we will do is check this configuration on another version where we have FNF support. There you can see that we can create the flow record. We have learned that NBAR2 is supported inside version 9, and whenever we have this Network Based Application Recognition feature, nowadays Cisco has the NBAR VM as well that we can check inside the SD-WAN software module, in Cisco software downloads. So now we have this feature to analyze the application. How is it actually analyzing the application? Here you can see that the traffic hits the router or the device where you have enabled the NBAR capability.
Suppose someone is surfing a website; the packet hits this device, and NBAR is enabled as per this record. Here you can see that the flow record has ipv4 source address and destination address. The key thing is that they are matching the application name as well. Once the application matching criteria are enabled inside the NetFlow record, the device can match that application, and in the flow you can see that you have the source IP, destination IP, everything, and then you have the matched application name as well.
Okay, so that is the power we have with the integration of flexible NetFlow with NBAR. NBAR is giving us much more visibility inside the flow of that particular traffic. So how can we configure it? Here you can see that you create the exporter: who is your destination, where you want to export. Then you match the key items and collect the non-key items with the match and collect keywords. Then inside the monitor you call items 01 and 02, that is the flow exporter and the flow record. And then obviously you should apply it on the interface. These are the steps we use to enable NetFlow. Now there are some use cases; the point is at which point and how many match statements and how many collect statements we need, and that depends on what exactly we want to analyze.
For example, in client and server communication you can see that for the client/server statistics you match the DSCP, protocol, addresses, source and destination port, and in the non-key items the interface output, bytes, packets plus the application name. Here the application name is resolved by NBAR; again this is showing the capability of NBAR, giving you visibility of the application so you can check the application flow as well. Then we have the complete replacement for the IP accounting feature, where you can check which IPs are using how much volume. Here you can see that we use ipv4 dscp and counter bytes long.
So that is counter bytes long, counter packets long, and then they collect the application name; so we have application visibility, IP accounting and DSCP matching as well. If you want to analyze the QoS queue hierarchy: this is the QoS configuration, which we already know about, we have learned QoS. You have the parent and the child policies; inside the child you have the class maps, and inside the class map you are matching certain DSCP values. Now how can we match this inside the flow? Again, in the optional fields we have the option to collect the policy QoS queue and drops. This is just for reference.
This shows how the protocol fields are matched with which type of FNF statement, so we can collect the applications, SNMP, POP, NNTP, SIP, HTTP and so on; we have a long list of application matching criteria that we can check inside the flow. How does it work behind the scenes? In any of the flows it will extract the URL, the user agent, the HTTP referer and the HTTP host; that is the capability and the visibility we have with NBAR. Finally, we have one example here of the record option. Here you can see the flow record, and in that record what you want to match: the datalink MAC addresses, datalink VLAN, TTL, ToS, protocol, source and destination address, and then the optional fields; so these are the key and non-key options that you can match.
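The exporter, template and collector terms above fit together on the wire like this: flexible NetFlow exports with version 9, which is template based, so the exporter first sends a template flowset describing the type and length of each field in a record, and the collector can only decode the data flowsets once it holds that template. The following Python collector is an added example (not from the course and not Cisco or vendor code): it learns templates per exporter source ID, decodes data records against them, and holds data that arrives before its template, which happens in practice after a collector restart because exporters resend templates only periodically. Field type numbers are the ones from RFC 3954; the two datagrams, with their addresses and counters, are constructed inline.

```python
"""NetFlow v9 collector with template learning. Added example, not course or vendor code."""
import socket
import struct

V9_HEADER = struct.Struct(">HHIIII")  # version, count, sys_uptime, unix_secs, seq, source_id
# RFC 3954 field type numbers for the fields used in this example.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


class V9Collector:
    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(field_type, length), ...]
        self.pending = []    # data flowsets seen before their template arrived
        self.flows = []      # decoded records, as dicts

    def feed(self, datagram):
        """Process one export datagram; return the total number of decoded flows so far."""
        if len(datagram) < V9_HEADER.size:
            raise ValueError("datagram shorter than a v9 header")
        version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version={version})")
        off = V9_HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from(">HH", datagram, off)
            if fs_len < 4 or off + fs_len > len(datagram):
                raise ValueError("bad flowset length")
            body = datagram[off + 4:off + fs_len]
            if fs_id == 0:              # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:          # data flowset; id 1 (options template) is ignored here
                self._decode_data(source_id, fs_id, body)
            off += fs_len
        return len(self.flows)

    def _learn_templates(self, source_id, body):
        p = 0
        while p + 4 <= len(body):
            tid, nfields = struct.unpack_from(">HH", body, p)
            p += 4
            fields = [struct.unpack_from(">HH", body, p + 4 * i) for i in range(nfields)]
            p += 4 * nfields
            self.templates[(source_id, tid)] = fields
            # Replay any data flowsets that were waiting for this template.
            waiting, self.pending = self.pending, []
            for sid, fid, data in waiting:
                if (sid, fid) == (source_id, tid):
                    self._decode_data(sid, fid, data)
                else:
                    self.pending.append((sid, fid, data))

    def _decode_data(self, source_id, tid, body):
        template = self.templates.get((source_id, tid))
        if template is None:
            self.pending.append((source_id, tid, body))
            return
        rec_len = sum(length for _, length in template)
        p = 0
        while p + rec_len <= len(body):   # anything shorter than a record at the end is padding
            rec = {}
            for ftype, length in template:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + length])
                p += length
            self.flows.append(rec)


# --- constructed sample datagrams (made-up addresses and counters) ---
TEMPLATE_ID = 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)]  # 22 bytes per record


def build_template_flowset():
    body = struct.pack(">HH", TEMPLATE_ID, len(TEMPLATE))
    body += b"".join(struct.pack(">HH", t, ln) for t, ln in TEMPLATE)
    return struct.pack(">HH", 0, 4 + len(body)) + body


def build_data_flowset(records):
    body = b"".join(socket.inet_aton(s) + socket.inet_aton(d)
                    + struct.pack(">HHBBII", sp, dp, proto, flags, nbytes, npkts)
                    for s, d, sp, dp, proto, flags, nbytes, npkts in records)
    body += b"\x00" * (-(4 + len(body)) % 4)   # pad the flowset to a 4-byte boundary
    return struct.pack(">HH", TEMPLATE_ID, 4 + len(body)) + body


def build_datagram(flowsets, count, seq, source_id=1):
    # count is the number of template plus data records carried, as the v9 header defines it
    return V9_HEADER.pack(9, count, 100000, 1700000000, seq, source_id) + b"".join(flowsets)


DATA_BEFORE_TEMPLATE = build_datagram(
    [build_data_flowset([("10.1.1.10", "10.2.2.20", 51234, 443, 6, 0x1B, 6000, 12)])], count=1, seq=1)
TEMPLATE_THEN_DATA = build_datagram(
    [build_template_flowset(),
     build_data_flowset([("10.1.1.10", "10.2.2.53", 5353, 53, 17, 0, 76, 1),
                         ("10.1.1.11", "10.2.2.20", 40000, 443, 6, 0x02, 60, 1)])], count=3, seq=2)

if __name__ == "__main__":
    collector = V9Collector()
    print("flows after data-only datagram:", collector.feed(DATA_BEFORE_TEMPLATE))
    print("flows after template arrives:  ", collector.feed(TEMPLATE_THEN_DATA))
    for flow in collector.flows:
        print(flow)
```

Templates are keyed on the exporter's source ID as well as the template ID, because two routers exporting to the same collector may both use template 256 with different field lists; a collector that keys on template ID alone would silently decode one router's records with the other's layout.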
14. Flexible Netflow
Now, let's see how we can configure flexible NetFlow. I am running 15.0. First I can give the exporter version, then create the flow record, and then we have the exporter. So let's do that. Say flow exporter, my exporter, and then I give the destination, which is my local server. Then we create the flow record; for that we have flow record, say my record, and then I can match various parameters: what is the destination address? These are the key values that we are matching here, source address and so on; again you can see what things you have with the match option. We have the option to match the application as well, for NBAR: I use match and then application name, and we can leave it so the system will automatically understand each application and match it. You can see that inside match you have application, datalink, flow, interface, IPv4, IPv6, routing and transport as well; say routing destination, where you can see that we can match the AS and the traffic index for BGP. So we have robust options related to match. Then we use collect; inside collect we can use counter bytes and counter packets, and with the collect option we can also collect the application name. Now the flow record field is already present, because we have already given this field in the key, so it is not required to give it in the non-key, as we have already defined it in the key. But you can see that we have options related to non-key items as well; some of the options are in the key as well. If you define it in the key, that has higher preference and it will not be taken in the non-key.
All right, so once we define the flow record, then we create the monitor, and inside the monitor we call all the things that we created earlier: we call the exporter, that is my exporter, and the record, that is my record. Then finally you have to apply this monitor on the interface, so I go to my interface and use this monitor, my monitor, in the input direction. It is taking a while because we have enabled the application as well; whenever you enable NBAR, that is indirectly the application recognition, it takes some time to apply.
Once it is done we get the prompt back. So these are the things we should check and enable: define the exporter, define the record, call them inside the monitor and then apply it. You can apply it in the output direction as well. Then we can check show flow monitor; if you know your monitor name, you can give the monitor name. Apart from that, we can verify the flow interface; if I know the interface name, I can check it. Then we have the flow record; if you have multiple records, you can select and check them selectively. So this is the way we configure flexible NetFlow.
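To make the key versus non-key distinction from the walkthrough concrete, here is an added Python model of the flow cache (not from the course and not IOS code): the fields in the key tuple decide which packets share one cache entry, as the match statements do, while the collect fields are accumulated into that entry, and entries idle past the inactive timeout are moved to the export list. Running the same constructed packet stream under a record keyed on addresses, protocol, ports and ToS, and again under a record keyed only on addresses and protocol, shows why the choice of match statements decides the granularity of what gets exported. The record_cli method renders each definition as the flow record lines the lecture uses; the keyword mapping is my assumption and should be checked against your IOS release. Addresses, timestamps and application names are constructed.

```python
"""Flow cache with key (match) and non-key (collect) fields. Added model, not course or IOS code."""
from dataclasses import dataclass

# Constructed packets (made-up addresses) as one interface would see them, client to server only.
PACKETS = [
    {"ts": 0.00, "src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,  "sport": 51234, "dport": 443, "tos": 0, "len": 60,   "flags": 0x02, "app": "https"},
    {"ts": 0.05, "src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,  "sport": 51234, "dport": 443, "tos": 0, "len": 500,  "flags": 0x18, "app": "https"},
    {"ts": 0.10, "src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,  "sport": 51234, "dport": 443, "tos": 0, "len": 52,   "flags": 0x11, "app": "https"},
    {"ts": 0.20, "src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,  "sport": 51235, "dport": 443, "tos": 0, "len": 60,   "flags": 0x02, "app": "https"},
    {"ts": 0.25, "src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,  "sport": 51235, "dport": 443, "tos": 0, "len": 1200, "flags": 0x18, "app": "https"},
    {"ts": 0.30, "src": "10.1.1.10", "dst": "10.2.2.53", "proto": 17, "sport": 5353,  "dport": 53,  "tos": 0, "len": 76,   "flags": 0x00, "app": "dns"},
]

# Assumed mapping from model fields to the FNF keywords named in the lecture (verify per release).
MATCH_CLI = {"src": "match ipv4 source address", "dst": "match ipv4 destination address",
             "proto": "match ipv4 protocol", "tos": "match ipv4 tos",
             "sport": "match transport source-port", "dport": "match transport destination-port",
             "app": "match application name"}
COLLECT_CLI = {"packets": "collect counter packets long", "bytes": "collect counter bytes long",
               "tcp_flags": "collect transport tcp flags", "app": "collect application name"}


@dataclass
class FlowEntry:
    key: tuple
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0   # OR of every TCP flag seen, which is what "collect transport tcp flags" yields
    first: float = 0.0   # timestamps are always kept; the cache needs them for timeouts
    last: float = 0.0
    app: str = ""


class FlowCache:
    """Key fields decide which packets share an entry; collect fields are accumulated into it."""

    def __init__(self, key_fields, collect_fields, inactive_timeout=15.0):
        self.key_fields = tuple(key_fields)
        self.collect_fields = set(collect_fields)
        self.inactive_timeout = inactive_timeout
        self.cache = {}
        self.exported = []

    def ingest(self, pkt):
        key = tuple(pkt[f] for f in self.key_fields)
        entry = self.cache.get(key)
        if entry is None:
            entry = FlowEntry(key=key, first=pkt["ts"])
            self.cache[key] = entry
        entry.last = pkt["ts"]
        if "packets" in self.collect_fields:
            entry.packets += 1
        if "bytes" in self.collect_fields:
            entry.bytes += pkt["len"]
        if "tcp_flags" in self.collect_fields and pkt["proto"] == 6:
            entry.tcp_flags |= pkt["flags"]
        if "app" in self.collect_fields:
            entry.app = pkt["app"]
        return entry

    def expire(self, now):
        """Move entries idle longer than the inactive timeout to the export list; return how many."""
        idle = [k for k, e in self.cache.items() if now - e.last > self.inactive_timeout]
        for k in idle:
            self.exported.append(self.cache.pop(k))
        return len(idle)

    def record_cli(self, name):
        """Render this definition as 'flow record' lines (assumed keyword spelling)."""
        lines = [f"flow record {name}"]
        lines += [" " + MATCH_CLI[f] for f in self.key_fields]
        lines += [" " + COLLECT_CLI[f] for f in sorted(self.collect_fields)]
        return lines


def run(key_fields, collect_fields=("packets", "bytes", "tcp_flags", "app")):
    """Feed the constructed packets through a cache built from the given record definition."""
    cache = FlowCache(key_fields, collect_fields)
    for pkt in PACKETS:
        cache.ingest(pkt)
    return cache


if __name__ == "__main__":
    for keys in (("src", "dst", "proto", "sport", "dport", "tos"), ("src", "dst", "proto")):
        cache = run(keys)
        print("\n".join(cache.record_cli("my_record")))
        for entry in cache.cache.values():
            print("  ", entry)
```

With the ports in the key, the two HTTPS connections stay separate entries and the cumulative flags show each one's SYN, data and FIN; with only addresses and protocol as keys, they collapse into a single entry whose byte count is the sum of both, which is the IP accounting style view, at the cost of no longer being able to tell how many sessions there were.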